Mysterious malware with suspected links to Russia infecting US-based embassies

Security researchers have uncovered a hacking campaign that is actively targeting a slew of diplomatic, government and embassy websites in the US using a form of computer malware that has previously been linked to a Russian cybercrime group.

According to Forcepoint, a cybersecurity firm, the mysterious hackers are using a stealthy tactic long-associated with a group dubbed "Turla". Believed to be a reconnaissance mission, the researchers said it shows some signs of nation-state involvement.

"The majority of the targeted sites were ministry and embassy sites although sites with different profiles were also compromised," said security researcher Roland Dela Paz in a blog post. "Interestingly, all the targeted embassies [were] located in Washington DC."

The group's malware – also branded "Turla" – has attacked the foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan, a political party in Austria, a socialist organisation in Spain and the US-based embassies of Iraq, Jordan, Zambia and Russia.

The hackers behind the campaign are using Google Analytics scripts to help disguise malicious software injected into compromised websites. They can then "evaluate" the site's visitors as they are directed to the websites before delivering malware.

Once inside, the hackers can snoop on computers connected to the network, send stolen content back to their command and control (C&C) severs or simply play the waiting game.

This campaign dates as far back as December 2015, with the earliest actual compromise being recorded in April the following year. Some websites were hijacked for a brief period, while some remained compromised for as long as 10 months, Forcepoint revealed.

"It is unknown what the intent behind the campaign is at the time of writing, however, the profile of the targets resembles those [...] of Advanced Persistent Threat (APT) actors," Dela Paz said, alluding to a term commonly used to describe government-backed hackers.

"The tactics and the targeting of this campaign overlaps with those of the Turla group. However, no conclusive evidence is available to confirm a relationship between the two and the motive behind this campaign is yet to be uncovered," he added.

Forcepoint said it notified the administrators of the sites that were confirmed to be compromised, but noted the attack likely remains active.

Back in 2014, according to reports by Reuters, the Turla group was blamed for targeting "hundreds" of government computers across Europe and the US. Researchers and intelligence officials at the time believed the malware used in the campaign was state-sponsored.

The previous year, cybersecurity firm Symantec uncovered Turla infections at embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany. The malware was an evolution of "Trojan.Minit" which has been in circulation since 2004.

"The campaign is the work of a well-resourced and technically competent attack group that is capable of penetrating many network defences." Symantec said. "It is focused on targets that would be of interest to a nation-state, with spying and theft of sensitive data among its objectives."